Deploy Alert Logic XDR

Alert Logic XDR is built to cover 100% of your attack surface. Third-party (3P) EDR is a good solution, but Fortra EDR gives our SOC the most telemetry and host-control options. XDR supports many of Alert Logic's own options as well as third-party EDR products such as SentinelOne, CrowdStrike, Carbon Black, and Sophos.

Differences between XDR and Extended Endpoint Protection

Depending on your use case, choose between XDR and Extended Endpoint Protection based on the following:

  • XDR: SOC coverage for Fortra EDR and third-party EDR
  • Extended Endpoint Protection: blocking and full platform support
Technology: Alert Logic agent
  • Built-in / integrated: Built-in (MDR, XDR)
  • Telemetry: server logs, host vulnerabilities, network traffic forwarding, file changes
  • OS: Linux, Windows Server
  • Response: SOC incident handling

Technology: Alert Logic EEP
  • Built-in / integrated: Built-in (MDR, XDR)
  • Telemetry: process and behavior monitoring
  • OS: Windows, macOS
  • Response: blocking, user notification

Technology: Fortra EDR
  • Built-in / integrated: Built-in (XDR)
  • Telemetry: process, service, network, and file monitoring
  • OS: Windows client
  • Response: SOC incident handling, SOC containment actions

Technology: Third-party EDR
  • Built-in / integrated: Integrated
  • Telemetry: alerts and telemetry from external EDR stacks
  • OS: varies
  • Response: user-automated containment actions (SentinelOne and MS Defender for Endpoint)

Installation requirements

Before installing Alert Logic XDR on your system, review the following requirements:

Supported operating systems

  • Windows 11
  • Windows 10

Minimum hardware requirements

  • 1 GHz dual-core CPU or better
  • 1 GB RAM or higher, if required by OS (2 GB recommended)
  • 2 GB free disk space

Average resource consumption

The following is the average resource consumption for Alert Logic XDR once installed. These values do not include the consumption of the managed modules, as they have their own resource requirements.

  • Memory: 7 MB
  • CPU usage: 0.024%

Network access requirements

Your endpoints must have access to these URLs. We do not support proxies at this time.

  • https://cdn.fortra.com
    Even when your network can reach this URL, requesting it returns the following error: "<Error> <Code>AccessDenied</Code>". That response is normal.
  • https://agent.epm-prod.cloudops.fortradev.com
    Even when your network can reach this URL, requesting it returns the following error: "400 Bad Request". That response is normal.
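Because both URLs answer with an error even when the network path is fine, a reachability check has to count any HTTP response as success and treat only the absence of a response (DNS failure, outbound filtering, a TLS-inspecting proxy) as a problem. The following PowerShell script is an added example and not part of the Alert Logic documentation; the function names are my own, and it assumes Windows PowerShell 5.1 or PowerShell 7 on the endpoint.

```powershell
# Added example, not from the Alert Logic documentation.
# Checks that the endpoint can reach the XDR agent URLs. Both URLs are documented
# to answer with an error (AccessDenied / 400 Bad Request) even when the network
# path is fine, so any HTTP response counts as reachable; only the absence of a
# response (DNS, firewall, TLS failure) counts as a problem.
# Assumes Windows PowerShell 5.1 or PowerShell 7; function names are my own.

# Windows PowerShell 5.1 may default to an older TLS version; force TLS 1.2.
if ($PSVersionTable.PSVersion.Major -lt 6) {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}

$XdrUrls = @(
    'https://cdn.fortra.com',                         # expected: <Error><Code>AccessDenied</Code>
    'https://agent.epm-prod.cloudops.fortradev.com'   # expected: 400 Bad Request
)

function Test-XdrUrl {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reachable = $true; HttpStatus = [int]$resp.StatusCode; Detail = 'OK' }
    }
    catch {
        $httpResp = $_.Exception.Response
        if ($null -ne $httpResp) {
            # The server answered with an HTTP error, which is all the requirement asks for.
            [pscustomobject]@{ Url = $Url; Reachable = $true; HttpStatus = [int]$httpResp.StatusCode; Detail = 'error response (expected)' }
        }
        else {
            # No HTTP response at all: name resolution, outbound filtering or TLS interception.
            [pscustomobject]@{ Url = $Url; Reachable = $false; HttpStatus = $null; Detail = $_.Exception.Message }
        }
    }
}

function Test-XdrNetworkAccess {
    $results = foreach ($u in $XdrUrls) { Test-XdrUrl -Url $u }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # $true only when every URL produced an HTTP response.
    return -not ($results | Where-Object { -not $_.Reachable })
}

Test-XdrNetworkAccess
```

A Detail column mentioning a certificate or trust failure usually means an inspecting proxy is terminating TLS between the endpoint and Fortra, which the requirements above rule out; fix the network path rather than relaxing certificate checks on the endpoint.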

For monitoring and control modules

EDR and DLP capabilities are delivered through Monitoring and Control modules.

  • https://*.dgsecure.com
  • https://*.msp.digitalguardian.com

Windows security application exclusions

To reduce the chance of conflicts between your organization's existing security applications or antivirus (AV) products and Alert Logic XDR, Fortra requires that the following exclusions be added to those applications' configurations so that they do not scan or inject into the Alert Logic XDR files and folders. Without them, the impact on Alert Logic XDR ranges from general slowness to loss of functionality. Alert Logic XDR may also be used to install and manage other Fortra modules, which have their own additional exclusion requirements.

Folder level exclusions

  • %programfiles%\Alert Logic\XDR
    Example: C:\Program Files\Alert Logic\XDR
  • %programdata%\Fortra\endpoint
    Example: C:\ProgramData\Fortra\endpoint

Services to exclude

Alert Logic XDR

File level exclusions

C:\Program Files\Alert Logic\XDR\AlertLogicXDR.exe
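The folder, service and file exclusions above have to be entered in whatever security product runs on the endpoint. The following PowerShell script is an added example, not Fortra's or Alert Logic's code, showing how to apply and verify those entries on Microsoft Defender Antivirus; it assumes Defender is the local AV and an elevated session, and since Defender has no separate "service exclusion" setting, the service entry is expressed as a process exclusion for the service executable.

```powershell
# Added example, not from the Alert Logic documentation. Applies the folder and
# file exclusions listed above to Microsoft Defender Antivirus and verifies that
# they took effect. Assumes Defender is the antivirus on the endpoint and an
# elevated session; other security products need the same entries in their own
# console. Defender has no "service exclusion" setting, so the service entry
# above maps to a process exclusion for AlertLogicXDR.exe.

$XdrFolderExclusions = @(
    (Join-Path $env:ProgramFiles 'Alert Logic\XDR'),
    (Join-Path $env:ProgramData  'Fortra\endpoint')
)
$XdrProcessExclusions = @(
    (Join-Path $env:ProgramFiles 'Alert Logic\XDR\AlertLogicXDR.exe')
)

function Add-XdrDefenderExclusions {
    # Only add entries that are missing, so repeated runs stay idempotent.
    $pref = Get-MpPreference
    $newPaths = $XdrFolderExclusions  | Where-Object { $pref.ExclusionPath    -notcontains $_ }
    $newProcs = $XdrProcessExclusions | Where-Object { $pref.ExclusionProcess -notcontains $_ }
    if ($newPaths) { Add-MpPreference -ExclusionPath    $newPaths }
    if ($newProcs) { Add-MpPreference -ExclusionProcess $newProcs }
}

function Test-XdrDefenderExclusions {
    # Re-read the live configuration rather than trusting what was just written.
    $pref = Get-MpPreference
    $missing = @(
        $XdrFolderExclusions  | Where-Object { $pref.ExclusionPath    -notcontains $_ }
        $XdrProcessExclusions | Where-Object { $pref.ExclusionProcess -notcontains $_ }
    )
    if ($missing.Count -eq 0) {
        Write-Host 'All Alert Logic XDR exclusions are present.'
        return $true
    }
    Write-Warning ("Missing exclusions:`n  " + ($missing -join "`n  "))
    return $false
}

Add-XdrDefenderExclusions
Test-XdrDefenderExclusions
```

Keep the exclusions exactly as narrow as the vendor list: excluding a parent such as all of %programdata% instead of the Fortra\endpoint folder creates a location the scanner never looks at, so review the output of Get-MpPreference as part of the change record.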

Using MD5 and SHA hashes

If you prefer to exclude the executables by their MD5 or SHA-1 hash, note that the hashes depend on the version or build of Alert Logic XDR actually deployed. Calculate them for each deployed build with the certutil command from a command prompt:

certutil -hashfile <file path> <digest>

Example: certutil -hashfile "C:\Program Files\Alert Logic\XDR\AlertLogicXDR.exe" SHA1

  • When upgrading agents from one build to another or testing a specific build, the hashes of all deployed versions must be excluded by your antivirus or security application.
  • Do not use the Alert Logic XDR auto-update functionality together with hash-based exclusions, because each update changes the hashes.

Monitoring & Control modules

EDR and DLP capabilities are delivered through Monitoring and Control modules.

Folder level exclusions

  • %programfiles%\dgagent\
    Example: C:\Program Files\DGAgent
  • %SYSTEMROOT%\Temp\acit\
    Example: C:\Windows\Temp\acit (up to version 7.8.0)
  • %programdata%\dgagent\
    Example: C:\ProgramData\DGAgent

Services to exclude

  • Usage History Monitor
  • Usage History Scanning Monitor

File level exclusions

  • C:\windows\system32\dgapi.dll (Up to version 7.4.2)
  • C:\windows\system32\dgapi64.dll
  • C:\windows\system32\DGShlExt.dll
  • C:\windows\system32\drivers\dgdmk.sys
  • C:\windows\system32\drivers\DgDmkDisk.sys
  • C:\windows\system32\drivers\dgfs.sys
  • C:\windows\system32\drivers\dglfs.sys
  • C:\windows\system32\drivers\DGMaster.sys
  • C:\windows\system32\drivers\DGMinFlt.sys (7.7.0 and above)
  • C:\windows\SysWOW64\DgApi.dll
  • C:\windows\SysWOW64\DgDecrypt.exe
  • C:\Program Files\DGAgent\crashpad_handler.exe (7.9.0 and above)
  • C:\Program Files\DGAgent\DG-Diag.exe
  • C:\Program Files\DGAgent\DgAdmin.exe (7.6.0 and above)
  • C:\Program Files\DGAgent\DgAgent.exe
  • C:\Program Files\DGAgent\DGCI2.dll
  • C:\Program Files\DGAgent\DGCipher.exe
  • C:\Program Files\DGAgent\DGCIVrfy.dll
  • C:\Program Files\DGAgent\DGClassify.dll
  • C:\Program Files\DGAgent\DgClient.dll
  • C:\Program Files\DGAgent\DGFolderScan.exe
  • C:\Program Files\DGAgent\DGImager.dll
  • C:\Program Files\DGAgent\DGImager64.dll
  • C:\Program Files\DGAgent\DgProbe.exe
  • C:\Program Files\DGAgent\DgPrompt.exe
  • C:\Program Files\DGAgent\DgScan.exe
  • C:\Program Files\DGAgent\DgService.exe
  • C:\Program Files\DGAgent\DgUpdate.exe
  • C:\Program Files\DGAgent\DgWip.exe
  • C:\Program Files\DGAgent\dg_UsrEncrProvider.exe
  • C:\Program Files\DGAgent\iftest.exe
  • C:\Program Files\DGAgent\msvcp71.dll
  • C:\Program Files\DGAgent\msvcr71.dll
  • C:\Program Files\DGAgent\XceedZip.dll
  • C:\Program Files\DGAgent\XceedZipX64.dll
  • C:\Program Files\DGAgent\DgUpdate\DgUpdate.exe
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AE_Agent_Plugin.dll (Up to version 7.4.2)
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AE_Agent_Plugin64.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AE_MailSensor_Plugin.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AE_MailSensor_Plugin64.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_NotesSensor.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_NotesSensor64.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_OutlookSensor.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_OutlookSensor64.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_SmtpSensor.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\AME_SmtpSensor64.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\XceedZip.dll
  • C:\Program Files\DGAgent\plugins\09D849B6-32D3-4a40-85EE-6B84BA29E35B\XceedZip64.dll
  • C:\Program Files\DGAgent\plugins\8B13081C-AF44-458e-80E9-642D6A755D77\AFE_Agent_Plugin.dll
  • C:\Program Files\DGAgent\plugins\8e4ea70a-6128-4b57-bd3f-8e9e0f0da6bb\COM_Sensor.dll
  • C:\Program Files\DGAgent\plugins\8e4ea70a-6128-4b57-bd3f-8e9e0f0da6bb\COM_Sensor64.dll
  • C:\Program Files\DGAgent\plugins\8e4ea70a-6128-4b57-bd3f-8e9e0f0da6bb\COM_SensorMetro.dll
  • C:\Program Files\DGAgent\plugins\8e4ea70a-6128-4b57-bd3f-8e9e0f0da6bb\COM_SensorMetro64.dll
  • C:\Program Files\DGAgent\plugins\8e4ea70a-6128-4b57-bd3f-8e9e0f0da6bb\OS_Plugin.dll
  • C:\Program Files\DGAgent\plugins\8e4ea70a-6128-4b57-bd3f-8e9e0f0da6bb\OS_Plugin64.dll
  • C:\Program Files\DGAgent\plugins\F4B0439E-E8E0-452F-95B6-06BBFAC8C668\IM_Agent_Plugin.dll
  • C:\Program Files\DGAgent\plugins\F4B0439E-E8E0-452F-95B6-06BBFAC8C668\IM_Agent_Plugin64.dll
  • C:\Program Files\DGAgent\plugins\F4B0439E-E8E0-452F-95B6-06BBFAC8C668\IM_Sensor.dll
  • C:\Program Files\DGAgent\plugins\F4B0439E-E8E0-452F-95B6-06BBFAC8C668\IM_Sensor64.dll
  • C:\Program Files\DGAgent\Verity\kv\_nti40\bin\filtertestdotnet.exe (7.9.0 and above)
  • C:\Program Files\DGAgent\Verity\kv\_nti40\bin\filtertest.exe (7.9.0 and above)
  • C:\Program Files\DGAgent\Verity\kv\_nti40\bin\filter.exe (7.9.0 and above)
  • C:\Program Files\DGAgent\Verity\kv\_nti40\bin\kvoop.exe
  • C:\Program Files\DGAgent\Verity\kv\_nti40\bin\tstxtract.exe (7.9.0 and above)
  • C:\Program Files\DGAgent\Verity\miniIdol\IDOL\agentstoremini\agentstore.exe

Physical address paths

Some security products may also access and block files by way of physical device paths on Windows 10.

Examples:

  • \Device\HarddiskVolume2\Windows\SysWOW64\DgApi.dll
  • \Device\HarddiskVolume2\Windows\System32\DgApi64.dll

For more background, see the McAfee knowledge base article "VirusScan Enterprise exclusions and hardware paths (physical address versus logical address)".

If a problem persists after applying the above exclusions based on the system drive (usually C:), also add exclusions to the security application using the physical device path format.

Using MD5 and SHA hashes

If you prefer to exclude the executables by their MD5 or SHA-1 hash, note that the hashes depend on the version or build of the agent actually deployed. Calculate them for each deployed build with the certutil command from a command prompt:

certutil -hashfile <file path> <digest>

Example: certutil -hashfile "C:\Program Files\dgagent\dgwip.exe" SHA1

When upgrading Alert Logic XDR from one build to another or testing a specific build, you need to have the hashes for all deployed versions excluded by your antivirus or security application.
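Both hash sections (the one for Alert Logic XDR above and this one for the Monitoring and Control agent) ask for a hash per deployed build, which is tedious with one certutil call at a time. The following PowerShell script is an added example, not Fortra's or Alert Logic's tooling: it builds a per-build inventory of SHA-1 and MD5 hashes for a handful of the excluded executables from both lists, records the file version and Authenticode signer next to each hash, and writes the inventory to a CSV. The file selection and output file name are my own choices.

```powershell
# Added example, not from the Alert Logic documentation. Builds a per-build hash
# inventory (SHA1 and MD5, the digests certutil is used for above) for excluded
# executables of both Alert Logic XDR and the Monitoring and Control agent, and
# records the file version and Authenticode signer next to each hash so the
# inventory can be matched to the build actually deployed.
# Paths come from the exclusion lists above; files absent on this host (older or
# newer agent versions) are reported rather than silently skipped.

$ExcludedExecutables = @(
    "$env:ProgramFiles\Alert Logic\XDR\AlertLogicXDR.exe",
    "$env:ProgramFiles\DGAgent\DgAgent.exe",
    "$env:ProgramFiles\DGAgent\DgService.exe",
    "$env:ProgramFiles\DGAgent\DgWip.exe",
    "$env:ProgramFiles\DGAgent\DgUpdate.exe"
)

function Get-ExclusionHashInventory {
    param(
        [string[]]$Path = $ExcludedExecutables,
        [string[]]$Algorithm = @('SHA1', 'MD5')
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; FileVersion = $null; Signer = $null; Algorithm = $null; Hash = 'FILE NOT PRESENT' }
            continue
        }
        $item = Get-Item -LiteralPath $p
        # Only a validly signed vendor binary should ever be hash-excluded.
        $sig = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED/INVALID ($($sig.Status))" }
        foreach ($a in $Algorithm) {
            $h = Get-FileHash -LiteralPath $p -Algorithm $a
            [pscustomobject]@{
                Path        = $p
                FileVersion = $item.VersionInfo.FileVersion
                Signer      = $signer
                Algorithm   = $a
                Hash        = $h.Hash
            }
        }
    }
}

# One CSV per build; keep every build's file until that build is retired, because
# the exclusions must cover all versions still deployed.
$stamp = Get-Date -Format 'yyyyMMdd'
Get-ExclusionHashInventory | Tee-Object -Variable inventory |
    Export-Csv -NoTypeInformation -Path ".\agent-exclusion-hashes-$stamp.csv"
$inventory | Format-Table -AutoSize
```

Run it once per build on a reference host and merge the CSVs into the security application's hash list; a row whose Signer column is not the expected vendor subject should be investigated before its hash is excluded, and, as noted above, hash-based exclusions do not survive the agent's auto-update.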

Install Alert Logic XDR

If a third-party EDR is already running on the endpoint, add the Fortra EDR binaries and folders to its exclusions (see Windows security application exclusions) before installing.

Follow these instructions to install the Alert Logic XDR on your endpoints so they can be accessed and utilized within the Endpoint Manager.

The Alert Logic XDR can be installed manually on individual systems or using a script to push to multiple systems in an environment. See Installation requirements before installing Alert Logic XDR.

In Endpoint Manager

  1. On the Endpoints page, click Download Agent.
  2. Enter the number of days you would like your Alert Logic XDR installer to be valid for. The recommended number of days is 45 and the maximum number of days is 1000. The installer contains a temporary, self-signed p12 certificate that is used to establish secure communication with the Endpoint Manager. This certificate is later replaced by a permanent certificate for continued secure interaction.

    To open the installation instructions in a new tab, click Installation Instructions.

  3. Click Download.
  4. A .zip file with the installer and provisional key will begin downloading.

On your Windows endpoint system

  1. Open a command prompt as Administrator.
  2. Navigate to the location of the installer on your system.
  3. To run a quiet install of the agent while also downloading the install logs, run the following command:
    msiexec.exe /i AlertLogicXDR_x.x.x.msi /quiet /L*v installerLogs.log

    Where x.x.x is the version of the agent you are installing. You can find the full name of the .msi file in the zip file you downloaded.

  4. To confirm the installation succeeded, check the following:
    1. Open the installerLogs.log file written by the installer; it is in the same folder as the installer. Near the bottom you should see the message: MainEngineThread is returning 0.
    2. Open your Windows settings and go to Applications. Alert Logic XDR should be listed.
    3. Open Windows Services. The Alert Logic XDR service should be running.
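The install and the three checks above can be run as one script when rolling the agent out to many endpoints. The following PowerShell script is an added example, not part of the Alert Logic documentation: it assumes the downloaded .zip has been extracted into the current directory and the session is elevated, takes the .msi name pattern, log file name, success message and service name from the steps above, and uses function names of my own.

```powershell
# Added example, not from the Alert Logic documentation. Runs the documented quiet
# install and then performs the three verification steps from a script.
# Assumes the .zip has been extracted to the current directory and the session is
# elevated; the MSI name pattern, log name, success message and service display
# name ('Alert Logic XDR') are taken from the steps above, function names are my own.

function Install-XdrAgent {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$LogPath = (Join-Path (Split-Path -Parent $MsiPath) 'installerLogs.log')
    )
    $msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/L*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with a reboot pending; anything else is a failure.
    [pscustomobject]@{ ExitCode = $proc.ExitCode; LogPath = $LogPath }
}

function Test-XdrInstall {
    param([Parameter(Mandatory)][string]$LogPath)

    # 1. Installer log: Windows Installer writes 'MainEngineThread is returning 0' on success.
    $tail = Get-Content -LiteralPath $LogPath -Tail 30 -ErrorAction SilentlyContinue
    $logOk = [bool]($tail -match 'MainEngineThread is returning 0')

    # 2. Settings > Applications entry: the product is registered under the Uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $appOk = [bool](Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Alert Logic XDR*' })

    # 3. Service: present and running.
    $svc = Get-Service | Where-Object { $_.DisplayName -like 'Alert Logic XDR*' -or $_.Name -like 'AlertLogicXDR*' }
    $svcOk = [bool]($svc | Where-Object { $_.Status -eq 'Running' })

    [pscustomobject]@{
        LogSuccess     = $logOk
        AppRegistered  = $appOk
        ServiceRunning = $svcOk
        AllPassed      = ($logOk -and $appOk -and $svcOk)
    }
}

$msi = Get-ChildItem -Path . -Filter 'AlertLogicXDR_*.msi' | Select-Object -First 1
if (-not $msi) { throw 'AlertLogicXDR_x.x.x.msi not found in the current directory.' }
$install = Install-XdrAgent -MsiPath $msi.FullName
if ($install.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($install.ExitCode); see $($install.LogPath)"
}
Test-XdrInstall -LogPath $install.LogPath
```

An endpoint that passes all three checks here but does not appear on the Endpoints page is usually blocked on the network requirements above rather than on the install itself.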

In Endpoint Manager

The endpoint where you just installed the agent should now appear on the Endpoints page.

Automatic updates

Once installed, Alert Logic XDR will be automatically updated as needed on your endpoint. As soon as your endpoint identifies that an update is available, it will auto-update.

Validate the installation

To validate your XDR installation, run a log search from the Alert Logic Console.

Configure simple response for Alert Logic XDR

For information on configuring simple response for Alert Logic XDR, see Configure Simple Response for Alert Logic XDR: Managed Host Isolation.

Uninstall Alert Logic XDR on Windows

To uninstall the Alert Logic XDR on your endpoints, do the following:

  1. Open a command prompt as Administrator.
  2. Run the following command:

    wmic product where "name LIKE 'Alert Logic XDR%'" call uninstall

  3. Alert Logic XDR will be uninstalled from your endpoint.